Using Awareness Training for GDPR Compliance

By: Gillian Loones | Awareness training | 7 December

The introduction of the GDPR in the EU has had many far-reaching consequences for small and large organisations alike. Many organisations are still uncertain about how to exactly implement the GDPR in their daily operations. Additionally, failing to comply with the GDPR can have grave consequences, ranging from heavy fines to serious security breaches. That’s why it’s important that everyone in the organisation knows how to deal with data on a day-to-day basis. In this blog, we’ll talk about how awareness training might prove useful for GDPR compliance.


The GDPR still causes a lot of confusion

The GDPR was introduced by the EU in May 2018 to better inform consumers about how their personal data is used and to enforce better data handling and protection in organisations.

As a result, the GDPR introduced many rules regarding the handling of personal data and the prevention of security breaches. These rules are enforced under threat of large monetary sanctions for non-compliant organisations.

Even though the GDPR has now been in effect for over 2 years, many people are still confused about how it affects them and their organisation. For instance, it can still be unclear what constitutes personal data, what actual good data handling practices are, or what the consequences of not complying with the GDPR can be.

Keeping up with and enforcing the GDPR already takes considerable effort, even for IT experts, so it is only natural that many members of the team are somewhat lost on how to deal with the GDPR and personal data in their work.


Personal data includes a lot of things

Let us briefly illustrate how confusing personal data can be. Many people likely don’t quite know what personal data means – other than it is information about a person. It quickly gets complicated when you start asking questions like: Is your shoe size categorised as personal data? And what about your hair colour?

[Image: examples of personal data]


Personal data covers a lot of things, and it can be unclear what exactly is or is not considered personal data. However, almost everyone in your company comes into contact with personal data every day, so it is important that they understand what it is.


We’ll briefly define personal data here. You can read much more about it in some of our other blog posts.

The GDPR defines personal data as:

“information that relates to an identified or identifiable individual”

In other words: If any piece of information is about a particular person or leads to a particular person, then it is considered personal data.

As you can see in the image, personal data includes a lot of things! Even shoe size and hair colour can be included. I’m sure you can think of many more examples that aren’t shown here.

It’s important to note that personal data doesn’t only include text. An audio recording, a photo, or a video with identifiable information is personal data as well.


Read more: Posting pictures and videos online


Not all personal data is equal: regular vs. sensitive personal data

Unfortunately, the confusion does not end there. Personal data can further be divided into two categories, depending on how sensitive a piece of information is. It is important that your team can recognise sensitive personal data because stricter rules apply to handling it. This is due to the fact that a breach of such sensitive data could have more significant consequences for the people affected. It could, for example, lead to discrimination or threats of physical harm.

Regular personal data


    • Name

    • Gender

    • Address

    • E-mail

These do not necessarily require permission to be handled, but you still need to be considerate and use common sense.

Special categories of personal data


    • Political belief

    • Religious belief

    • Ethnic background

    • Health-related information

    • Sexual relationships

    • Trade union membership

These are sensitive personal data, and any handling requires special attention – and often permission.



A good way to remember how to properly handle personal data is to think of it as something you are borrowing from a friend, illustrated in the poster here. You can download this poster and others from here.

Now you know what personal data is. You also know that it is important to safely handle personal data. The key question of course is: does everyone else in the company also know that? And if they do, do they know how to go about it?

It is indeed very important that this knowledge rests not just in the IT department but that all staff in the organisation are aware of it and know how to act on it. However, as we mentioned earlier, it can be difficult for staff to keep up with data regulations on their own.

To illustrate the importance of this, let us look at what could happen when safe data handling practices are not well understood.

Most security breaches are due to human error, but they don’t have to be

A security breach generally means that some or all personal data that is handled in the organisation is, accidentally or maliciously, released outside the organisation.

When people think about security breaches, they think about malicious, expert hackers attacking the organisation’s IT systems and stealing data.

However, security breaches often happen due to human error. This problem has two sides. One side is people making mistakes or handling data carelessly because they lack knowledge about the importance of safe data handling practices. For example:

  • An email is sent to the wrong person

  • Data is displayed to unauthorized persons

  • Data is left unattended

  • Wrong access is granted

  • Data is stored incorrectly

  • A device is stolen or shared

  • Documents with information are printed incorrectly and/or may be forgotten

The other side is that, because people are often unaware, most hacking attacks try to exploit humans instead of IT systems. Unaware staff are thus more likely to fall prey to social engineering attacks, such as phishing emails, that may lead to a data breach.

Of course, technical cybersecurity remains a vital part of keeping your organisation safe. Various technical tools can be used to reduce the risk of security incidents, like:


However, while technical tools can be very sophisticated, they are not 100% effective at keeping out all threats. They are only half the battle and cannot improve:

  • Staff behaviour: e.g., a firewall won’t prevent staff from granting wrong access.

  • Unclear processes when it comes to handling personal data.

  • Lack of knowledge about cybersecurity.

These are things that only the staff themselves can fix and prevent. And luckily, all staff are easily capable of this, given the right tools and training.

Your strongest defence against security incidents is comprehensive awareness among all staff combined with clear processes for handling data. Simply put: all staff need to clearly understand the what and how of the GDPR and personal data.

Awareness training: turning your team into your strongest defence

Awareness training is one of the tools your organisation can use to greatly improve your team’s knowledge about cybersecurity and safe data handling. It’s also needed to be GDPR compliant:

  • Article 39 requires that your data protection officer raises awareness and provides training to staff who are involved in data processing

  • Article 43 requires that staff who have permanent or regular access to personal data receive data protection training

As we described earlier in this blog post, personal data can be complicated. You cannot expect all staff to be experts in the GDPR. Therefore, an awareness training programme that regularly provides staff with clear, simple, and practical explanations and examples of how to safely handle personal data can be of great help in improving staff behaviour.

Furthermore, when people are aware of the dangers that cybercriminals pose, they are more likely to detect phishing attacks and less likely to make other errors, such as storing data incorrectly.

Next to awareness about cybersecurity and the importance of safe data handling, staff also need to be aware of the specific processes and responsibilities regarding information security in your organisation. Simply put, it is the task of the IT department and the management team to set up clear processes that staff can follow and to appoint people that can function as a central point of advice regarding everything relating to GDPR and information security.

The organisation needs to establish:
  • Clear data handling processes to ensure staff always act with information security in mind.

  • A person responsible for GDPR and information security who can help staff and acts as a central point of contact regarding security incidents

The staff need to be aware of:
  • Cybersecurity and the dangers of cybercriminals

  • The data handling processes in the organisation and the GDPR

  • The need to always report potential security incidents and to seek help from the person responsible for GDPR when they have any uncertainties or suspicions


Awareness training helps you achieve GDPR compliance and other cybersecurity certifications

GDPR compliance is top of mind for most organisations, and there are several frameworks that organisations use to help them maintain and document GDPR compliance. For example, some are industry-specific, and others are country-specific. Not all cybersecurity frameworks ensure GDPR compliance, but some of the frameworks’ requirements overlap with the GDPR and many frameworks require awareness training.

Below, you can see a few of the additional cybersecurity frameworks that organisations are using in their GDPR work and how awareness training fits into each of them.




ISO 27701
  Description: An extension of ISO 27001, which is an international standard for information security practices. ISO 27701 has additional requirements regarding personal data that ensure GDPR compliance.
  Awareness training requirement: Clause 7.2.2 requires that all company workers and necessary contractors receive awareness education and training.

ISAE 3000 GDPR
  Description: A specific version of the ISAE 3000 that includes GDPR requirements for compliance. Depending on the amount of personal data your organisation processes, you would comply with either ISAE 3000 High (for high levels of personal data) or ISAE 3000 Low (for low levels of personal data).
  Awareness training requirement: Requires the relevant training of personnel.

CIS (Center for Internet Security Critical Security Controls)
  Description: Best practice guidelines for computer security with a list of actions organisations should take to prevent attacks.
  Awareness training requirement: Control 14 requires a security awareness program to be created and maintained.

ISO 27001 and 27002
  Description: International standard with best practice guidelines for information security management systems.
  Awareness training requirement: Clause 7.2.2 requires that all company workers and necessary contractors receive awareness education and training.

NIST
  Description: U.S.-based framework with information security guidelines that organisations doing business with the U.S. federal government must comply with.
  Awareness training requirement: To comply, an organisation’s managers, systems administrators, and systems users must be aware of security risks. Awareness training should cover how to recognise and report threats.

CMMC
  Description: Soon to replace NIST in the U.S. Used for entities doing business with the U.S. government.
  Awareness training requirement: There are several levels of compliance. Level 2 and above, which indicates a minimum of intermediate cyber hygiene, require awareness training.

ISRS 4400
  Description: Similar to ISAE 3000, but the ISRS 4400 is based only on the criteria that the auditor is asked to verify.
  Awareness training requirement: Requires the relevant training of personnel.


Awareness training can be implemented in a variety of ways

Getting started with awareness training is easier than you might think. It all comes down to giving people knowledge about personal data and cybersecurity in a way that they can easily understand and remember it.

That’s why it’s a good idea to transfer this knowledge in multiple ways and through multiple channels, to really make awareness about cybersecurity present in everyone’s mind.

You could, for example, combine various forms of e-learning and classroom learning. E-learning provides continuity and encourages staff to learn at their own pace; classroom learning lets them exchange ideas and put knowledge into practice. You can read more about how to optimally combine these two forms of learning here.

However, there are many more possibilities for organising a good awareness training programme. You can get pretty creative if you want to, for example with the use of gamification elements. Below we list some examples of different awareness training formats:

E-learning: Short online learning modules consisting of videos, text, quizzes, and more.

Classroom learning: Longer sessions given by an instructor. This format encourages discussion and makes it possible to invite an expert.

Simulations: Phishing and other cybersecurity simulations give people the opportunity to practise their knowledge in realistic security incident situations.

Workshops: For example, a workshop where staff can place themselves in the shoes of a cybercriminal and learn to understand how a cybercriminal thinks.

Freely available online material: There are many learning sources and other materials available online for free. This ranges from YouTube videos to government campaigns to posters and diagrams you can hang up around the office.

See for example this free material from ENISA, the European Union Agency for Cybersecurity, or this free video series from NCSA, the United States National Cyber Security Alliance.

Group activities & games: These can be in a variety of formats, for example an escape room or a Cluedo-like scenario where the team must figure out how and by whom the company was infiltrated.

Just know that there are many more possibilities for organising awareness training. You can choose the formats that best fit your organisation and needs, as long as you ensure that they add value to your team. A good awareness training is one that staff do not see as a burden, but one they may even look forward to.

Successfully applying awareness training techniques results in staff who are intuitively aware of what they need to do in their own daily workflow to comply with the GDPR, while also improving the general cybersecurity of the organisation. In the end, aware staff might just turn out to be your strongest line of cyber defence! You can read more about measuring the effect of your awareness training here.